
VPNC Certificate Interoperability Test


The Certificate Interoperability test assures VPN users that IPsec systems are generally interoperable with other IPsec systems when using PKIX certificates for authentication. To pass, a system has to interoperate with at least three quarters of the other systems that are in the test. This test is similar to the VPNC AES Interoperability test, except that the systems use PKIX certificates for authentication instead of preshared secrets.

Every system in the test is tested against every other system. Most pairs of systems are tested twice, switching the roles of initiator and responder. For two systems to be considered interoperable, each must be able to act as both initiator and responder. An exception to this rule is that systems typically used as remote-access VPN clients are always tested as the initiator, because that is how they are almost always deployed by VPN users. If a pair of systems fails a test, it is noted whether an IPsec tunnel could still be created with one of the systems acting as the initiator, or whether no tunnel could be set up in either direction.

The Certificate Interoperability test mirrors typical use of IPsec systems in VPNs that use a single internal certificate authority, that is, one that is run by the organization itself. A gateway system protects a network of systems behind the gateway; a remote-access client protects either just the single system on which it is running, or a pseudo-network of addresses that refer to the single system.

As specified in the VPNC documentation profile, in IKE Phase 1 each system uses 128-bit AES, SHA-1, and MODP group 2 (1024-bit). In IKE Phase 2, each system uses 128-bit AES, SHA-1, ESP tunnel mode, and PFS with MODP group 2 (1024-bit). For this test, the certificates were RSA with 2048-bit keys.
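As an added illustration (not VPNC's or any vendor's code) of what the capture files below record, the following Python decodes the SA attributes of an IKEv1 Phase 1 transform and checks them against the profile just described. The packet bytes are constructed inline for the example, and the attribute numbers are those assigned in RFC 2409 Appendix A.

```python
import struct

# RFC 2409 Appendix A attribute types and the values the VPNC profile on this page calls for:
# encryption (1) = AES-CBC (7), hash (2) = SHA-1 (2), authentication method (3) = RSA signatures (3),
# group description (4) = MODP group 2 (2); Key Length (14) = 128 because AES needs an explicit length.
PROFILE = {1: 7, 2: 2, 3: 3, 4: 2, 14: 128}
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "group", 14: "key_length"}


def parse_attributes(data):
    """Decode ISAKMP SA attributes (RFC 2408 3.3): TV form if the high bit is set, else TLV form."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:                      # TV: the 2-byte value follows the type directly
            attrs[atype & 0x7FFF] = val
        else:                                   # TLV: 'val' is the length of the value that follows
            attrs[atype] = int.from_bytes(data[off:off + val], "big")
            off += val
    return attrs


def parse_phase1_transform(payload):
    """Parse a Transform payload: generic header (4 bytes), transform #, transform ID, reserved (2),
    then SA attributes up to the payload length. Phase 1 uses only transform ID 1 (KEY_IKE)."""
    _next, _reserved, length = struct.unpack_from("!BBH", payload, 0)
    _tnum, tid = struct.unpack_from("!BB", payload, 4)
    if tid != 1:
        raise ValueError("not a Phase 1 KEY_IKE transform")
    return parse_attributes(payload[8:length])


def check_profile(attrs):
    """Return the names of attributes that deviate from PROFILE; an empty list means the proposal matches."""
    return sorted(ATTR_NAMES[t] for t, v in PROFILE.items() if attrs.get(t) != v)


def build_transform(values):
    """Constructed test input: a KEY_IKE transform with the given TV attributes plus a TLV lifetime."""
    body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in values.items())
    body += struct.pack("!HH", 0x8000 | 11, 1)      # Life Type = seconds (TV)
    body += struct.pack("!HHI", 12, 4, 28800)       # Life Duration = 28800 s (TLV, 4-byte value)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), 1, 1, 0) + body


# Constructed samples: the profile proposal, and the same proposal with pre-shared-key authentication (1).
PROFILE_TRANSFORM = build_transform(PROFILE)
PSK_TRANSFORM = build_transform({**PROFILE, 3: 1})

if __name__ == "__main__":
    print(check_profile(parse_phase1_transform(PROFILE_TRANSFORM)))  # []
    print(check_profile(parse_phase1_transform(PSK_TRANSFORM)))      # ['auth_method']
```

The second sample shows how a proposal from the preshared-secret (AES) test would be flagged here: everything matches except the authentication method.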


The following are the results from the testing, including notes that might affect users checking the results on their own.

AuthenTec QuickSec Toolkit (version 5.0) passed all tests in both directions with all other participants.

Cisco ASA Family (version 8.4) passed all tests in both directions with all other participants.

SonicWALL NSA and NSA E-Class series (version 5.2) passed all tests in both directions with all other participants.

SonicWALL TZ and PRO products running SonicOS Enhanced (version 5.3) passed all tests in both directions with all other participants.

Stonesoft StoneGate (version 5.2.1) passed all tests in both directions with all other participants.

Wind River IPIKE (version 6.9) passed all tests in both directions with all other participants.


The following are links to the files showing each pair of systems interoperating. Each file shows an expanded dump of the IKE messages setting up the secure IPsec tunnel. The information was collected with "tethereal", part of the excellent freeware "ethereal" network diagnostics package.

It is unlikely that this information is of much value to typical users; however, without it, you have no proof that the two systems actually were able to interoperate.

AuthenTec QuickSec toolkit initiating to:
          Cisco ASA Family
          SonicWALL NSA and NSA E-Class series
          SonicWALL TZ and PRO products running SonicOS Enhanced
          Stonesoft StoneGate
          WindRiver IPIKE

Cisco ASA Family initiating to:
          AuthenTec QuickSec toolkit
          SonicWALL NSA and NSA E-Class series
          SonicWALL TZ and PRO products running SonicOS Enhanced
          Stonesoft StoneGate
          WindRiver IPIKE

SonicWALL NSA and NSA E-Class series initiating to:
          AuthenTec QuickSec toolkit
          Cisco ASA Family
          SonicWALL TZ and PRO products running SonicOS Enhanced
          Stonesoft StoneGate
          WindRiver IPIKE

SonicWALL TZ and PRO products running SonicOS Enhanced initiating to:
          AuthenTec QuickSec toolkit
          Cisco ASA Family
          SonicWALL NSA and NSA E-Class series
          Stonesoft StoneGate
          WindRiver IPIKE

Stonesoft StoneGate initiating to:
          AuthenTec QuickSec toolkit
          Cisco ASA Family
          SonicWALL NSA and NSA E-Class series
          SonicWALL TZ and PRO products running SonicOS Enhanced
          WindRiver IPIKE

WindRiver IPIKE initiating to:
          AuthenTec QuickSec toolkit
          Cisco ASA Family
          SonicWALL NSA and NSA E-Class series
          SonicWALL TZ and PRO products running SonicOS Enhanced
          Stonesoft StoneGate


If you have comments or questions about VPNC's testing, please feel free to send them to Paul Hoffman, VPNC's director, at paul.hoffman@vpnc.org.